wrote:
> In a cgi script I'm detainting an input variable as
> $FORM{'input'} =~ tr/A-Z//cd;
> and then passing it to a system call as
> system "proggy",$FORM{'input'};
>
> It was working in old perl 5.6 but doesn't in 5.8.
> Perl complains about "Insecure dependency".
> How should it be detainted now?
Didn't know the above ever was an allowed way to untaint. This is an
equivalent that does untaint:

    $FORM{'input'} = join '', $FORM{'input'} =~ /[A-Z]/g;

Please also study

    perldoc perlsec

--
Gunnar Hjalmarsson
Email:
http://www.gunnar.cc/cgi-bin/contact.pl
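
Added example, not part of the original posts: a script to run with `perl -T` that compares the `tr///cd` approach from the question, the `join` form from the reply, and the anchored-capture form from perlsec, reporting the taint state of each and then passing it to list-form `system`. The sample input, the `report` helper and `/bin/echo` as a stand-in for "proggy" are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T untaint_demo.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# perlsec: give child processes a known environment before any exec.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed stand-in for a CGI parameter. $^X is tainted under -T, and
# appending a zero-length slice of it taints the whole string.
my %FORM = (input => 'ab;CD ef GH' . substr($^X, 0, 0));

# Hypothetical stand-in for the poster's "proggy".
my $prog = '/bin/echo';

# Print the value and its taint state, then try to pass it to the program.
sub report {
    my ($label, $value) = @_;
    printf "%-18s value=%-8s tainted=%s\n", $label,
        defined $value ? "'$value'" : 'undef',
        defined $value && tainted($value) ? 'yes' : 'no';
    return unless defined $value;    # rejected input is never passed on
    # List-form system bypasses the shell; taint mode still checks the arguments.
    eval { system($prog, $value) == 0 or warn "  $prog exited with status $?\n"; 1 }
        or print "  system refused: $@";
}

# 1. The question's approach: tr///cd deletes characters in place,
#    but the variable keeps its taint flag.
(my $stripped = $FORM{input}) =~ tr/A-Z//cd;
report('tr/A-Z//cd', $stripped);

# 2. The reply's approach: strings returned by a pattern match are untainted.
my $filtered = join '', $FORM{input} =~ /[A-Z]/g;
report('join + /[A-Z]/g', $filtered);

# 3. Stricter variant from perlsec: accept the value only if the whole
#    string matches, and use the captured copy; otherwise reject it.
my ($validated) = $FORM{input} =~ /\A([A-Z]+)\z/;
report('anchored capture', $validated);
```

The second form silently drops every character outside A-Z, while the third rejects input containing anything else, which is usually the safer behaviour for a value handed to another program.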